What is meant by cloud services?
Different components of computing are available to users remotely over the internet and payable on demand or by subscription. Cloud services is the collective name for these externally managed services. Examples are Microsoft 365, Dropbox, Google Drive, AWS and Citrix Workspace.
Most organisations use a great many cloud services. They allow flexible and collaborative use of a resource without having to make the large outlay for ever-changing technology. Cloud computing has revolutionised working models by allowing workers to access and share company information from any location and deliver services online.
Where is ‘the cloud’?
Most servers used for cloud services are owned by private organisations such as Amazon, Microsoft or Apple. They keep millions of people’s data, which is made accessible to them via the internet. The biggest data storage servers in the world are located in China, the USA and India; some are even situated at the bottom of the ocean. The location of the computers in ‘the cloud’ that hold your data is very important. This is the legal location of the data, and if that data is ‘personal data’, you may be breaking the law if it is located outside the UK or the European Union. It is also important to know something about the company that is hosting the cloud service and looking after the computers which hold your data. Many data centres are kept up to date and secure, but some are not, and may put your data at risk.
How does cyber security apply to cloud services?
If workers can access organisation information over the internet from any location, so can criminals. This has resulted in an increasing number of attacks on cloud services, using techniques to steal users' passwords to access their accounts. For this reason, it is important that these services are set up correctly and have the essential security controls in place.
...
(See guidance on the shared responsibility model)
What is the difference between public, private and hybrid cloud?
Public cloud services are the widespread and commonly used cloud computing model. All the resources needed to run the infrastructure (servers, storage, networking components, and supporting software) are owned and managed by the third-party provider, and accessed by the users within organisations over the Internet via a web browser. In a public cloud, companies share the infrastructure with other organisations, but data and workloads are usually kept isolated from each other in a safe and secure virtual space. Rather than having to own and operate the hardware, organisations pay only for the services they actually use.
A private cloud service is a computing infrastructure devoted to use by a single organisation. It can be housed in a privately owned data centre facility or at that of a third-party service provider. The defining characteristic is that the IT resources are run and maintained on a private network for one user organisation only and, consequently, the security controls are under its full management.
Hybrid cloud is any environment that uses both public and private cloud.
For the purpose of this guidance, we are talking about public cloud services.
Where to start?
In order to protect your organisational data that is located in the cloud, start by creating a list of all the cloud services used within your organisation.
The three main categories of cloud computing
There are three major cloud service models. The letters ‘aaS’ stand for ‘as a service’, which means organisations can rent facilities that are physically elsewhere for a range of different purposes.
...
For the IaaS model, the cloud service provider only provides the hardware; all of the security and backing up is the user organisation’s responsibility.
Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.
What are the security risks to cloud services?
Most data breaches in the cloud occur when criminals are able to gain access through badly configured accounts and interfaces to locate valuable data. This is usually due to weak user access control and misconfiguration and is the responsibility of the cloud service customer.
...